[R1] Barco ClickShare Multiple Script Remote Command Execution

The Barco ClickShare CSM-1 is a wireless presentation and collaboration system, that allows any meeting participant to share content on the central meeting room screen. Like many modern devices, it uses a web server for remote device configuration and maintenance. By default, the device installs with default administrator credentials (admin / admin) that can be changed after authenticating. These credentials can also be used to exploit multiple post-authentication remote command execution flaws.

CVE-2015-6532 - The first issue is due to the getLastCommitTimeStamp.php script not properly sanitizing user-supplied input to the id POST parameter. Supplying a Unix-based command between semi-colons (e.g. ;id;), the application will execute the command on the underlying operating system. Since the web server (lighttpd/1.4.26) runs with root privileges, this flaw can be used to take complete control of the device. Version 01.05.00.0032 was tested and found to be vulnerable, while 01.07.00.33 was not. Barco has since said that the 01.0.5x line has been "withdrawn as beta", while fixing it in a different code tree.

CVE-2015-6533 - The second issue is due to the /index.php/centralstore script not properly sanitizing user-supplied input when called with the docommand command. Supplying a Unix-based command between single quotes and semi-colons (e.g. ' ; id ; '), the application will execute the command on the underlying operating system. Since the web server (lighttpd/1.4.26) runs with root privileges, this flaw can be used to take complete control of the device. Based on the command invoked, the POST parameter required will change. For example, the addObject command would inject via the name parameter, and the unpairDongle command would inject via the serialnr parameter. Version 01.07.00.0033, the latest available at the time of testing, is affected.

While not a vulnerability, Tenable engineers noticed a clever utility included with the application, and would like to give props to Barco engineers:

# cat cn.php
<?php
function get_chuck_norris_quote() {
        $quotes = array();
        $quotes[] = "Chuck Norris calls the Button a dongle. Everyone agrees.";
        $quotes[] = "Chuck Norris installs version 1.0.0.0. Already has audio support.";
        $quotes[] = "Chuck Norris shares his screen and gives a presentation. Then he presses the Button.";
        $quotes[] = "Chuck Norris can access private methods.";
        $quotes[] = "Chuck Norris laughs in the face of unresolved symbol errors.";
        $quotes[] = "Chuck Norris rewrote the Google search engine from scratch.";
        $quotes[] = "When Alexander Bell invented the telephone he had 3 missed calls from Chuck Norris.";
        $quotes[] = "Chuck Norris doesn't call the wrong number. You answer the wrong phone.";
        $quotes[] = "Chuck Norris can cut through a hot knife with butter.";
        $quotes[] = "Chuck Norris tweets about having a bad day. Global economy slips into depression.";
        $quotes[] = "Chuck Norris counted to infinity - twice.";
        $quotes[] = "Chuck Norris can slam a revolving door.";
        $quotes[] = "Chuck Norris can win a game of Connect Four in only three moves.";
        $quotes[] = "Chuck Norris can speak French in Russian.";
        $quotes[] = "Chuck Norris can count the number of corners in a circle.";

        return $quotes[array_rand($quotes, 1)];
}
?>

Tenable has created two plugins for testing this device. The first, barco_clickshare_detect.nbin (Plugin ID 77248) will identify and fingerprint the remote device. The second, barco_clickshare_default_creds.nasl (Plugin ID 77249) will test for the presence of the default credentials. The device does not provide a method for remotely obtaining the version of the firmware, so an all-in-one-plugin to test for this issue cannot be created.